Goldman Sachs, the only Enterprise that sits on the Board of the Open Networking Foundation (ONF), had a key speaking slot at the 2013 Open Networking Summit in the “Software Defined Networking (SDN) for Enterprises” session. Steve Schwartz, global head of Telecommunications and Market Data Services at GS, gave the presentation. Highlights from this session include:

Goldman mentioned commodity switches twice.

Within weeks/months, they will be going into production with two (2) SDN deployments. One of them is the commonly talked about SDN application using commodity hardware as matrix switches with an app on top of a controller to direct flows; the other is to replace bump-in-the-wire firewalls. There are several spots in the Goldman network that have FWs deployed that are costly to buy and manage. Schwartz stated that maintaining FW state is not a requirement for these areas of the network for Goldman. They’ll be using commodity switches as glorified packet filters: bi-directional ACLs are configured on the controller and pushed down into the switches’ forwarding tables.

It took a junior engineer just a few weeks to develop a lightweight FW application that sits on top of an SDN controller.

Floodlight was mentioned by Goldman, but it was not stated whether it is being used for one or both of the applications mentioned. No surprise given the investment of GS into Big Switch Networks.

This raises a question for Enterprises – are stateful firewalls *required* for intra-DC traffic in single-tenant data centers, as bandwidth requirements increase and the only multi-10G firewalls available cost hundreds of thousands of dollars, for environments that are already deploying 40G/100G switching infrastructure? The same actually holds true for virtual security solutions leveraging ACLs, like the Cisco Virtual Security Gateway, meant for intra-tenant traffic. Nick Buraglio wrote a few months back in an article: “Think of buying an OpenFlow capable device with 40 and 100G interfaces in it as your firewall…. Port cost is very low. CAPEX is low. OPEX is also fairly low since it is just a normal piece of network hardware.” This is an option for those customers who want big-box FWs and do not want to go down the path of scale-out designs, with or without Network Functions Virtualization (NFV). We’ll see if security teams adapt and re-think requirements for statefulness in certain parts of the network, and if any companies follow Goldman’s lead on SDN in the Enterprise. Note: Goldman didn’t state they were using the commodity switches and SDN FW application in the data center.
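To make the “glorified packet filter” concrete, here is an added example (my own illustration, not Goldman’s application and not Floodlight code) of what a controller-side ACL compiler for such a design has to do: each human-readable allow rule becomes a forward flow entry plus its mirror-image reverse entry, and the table ends in a priority-0 drop so anything unmatched is denied. The rule format, the policy, and the sample packets are constructed for this example; the only real convention borrowed is the OpenFlow 1.0 / ovs-ofctl field naming (nw_src, nw_dst, tp_src, tp_dst) used when rendering entries. The last sample packet shows the trade-off the stateful-vs-stateless question above is really about: without connection state, a reverse entry admits any packet that merely looks like a reply.

```python
"""Stateless SDN packet filter: compile bidirectional ACLs into flow entries.

Added example; not Goldman's application or Floodlight code. The policy
format and packet dicts are constructed here. Match field names follow
OpenFlow 1.0 / ovs-ofctl conventions (nw_src, nw_dst, tp_src, tp_dst).
"""
from dataclasses import dataclass, asdict
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Match:
    """Subset of an OpenFlow 1.0 match; None means wildcard."""
    nw_proto: Optional[str] = None   # "tcp" or "udp"
    nw_src: Optional[str] = None     # host or CIDR prefix
    nw_dst: Optional[str] = None
    tp_src: Optional[int] = None
    tp_dst: Optional[int] = None


@dataclass(frozen=True)
class FlowEntry:
    priority: int
    match: Match
    action: str                      # "normal" (forward) or "drop"


@dataclass(frozen=True)
class AclRule:
    """One line of the ACL: allow src -> dst on proto/dst_port (and replies)."""
    src: str
    dst: str
    proto: str
    dst_port: int


def compile_acl(rules: List[AclRule]) -> List[FlowEntry]:
    """Forward entry + mirror-image reverse entry per rule, then default deny."""
    table: List[FlowEntry] = []
    for r in rules:
        forward = Match(nw_proto=r.proto, nw_src=r.src, nw_dst=r.dst, tp_dst=r.dst_port)
        # Reverse direction: swap addresses; the service port becomes the source port.
        reverse = Match(nw_proto=r.proto, nw_src=r.dst, nw_dst=r.src, tp_src=r.dst_port)
        table.append(FlowEntry(100, forward, "normal"))
        table.append(FlowEntry(100, reverse, "normal"))
    table.append(FlowEntry(0, Match(), "drop"))   # table-miss: drop everything else
    return table


def to_ofctl(entry: FlowEntry) -> str:
    """Render an entry in ovs-ofctl add-flow syntax, for inspection or pushing."""
    parts = [f"priority={entry.priority}"]
    m = asdict(entry.match)
    if m["nw_proto"]:
        parts.append(m["nw_proto"])
    for key in ("nw_src", "nw_dst", "tp_src", "tp_dst"):
        if m[key] is not None:
            parts.append(f"{key}={m[key]}")
    return ",".join(parts) + f",actions={entry.action}"


def _field_matches(key: str, want, have) -> bool:
    if key in ("nw_src", "nw_dst"):   # allow prefix matches on addresses
        return have is not None and ip_address(have) in ip_network(want, strict=False)
    return have == want


def _matches(m: Match, pkt: dict) -> bool:
    return all(_field_matches(k, v, pkt.get(k)) for k, v in asdict(m).items() if v is not None)


def lookup(table: List[FlowEntry], pkt: dict) -> str:
    """Highest-priority matching entry wins, as in a switch flow table."""
    hits = [e for e in table if _matches(e.match, pkt)]
    return max(hits, key=lambda e: e.priority).action


# Constructed policy: the 10.1.1.0/24 client segment may reach one server on HTTPS.
POLICY = [AclRule(src="10.1.1.0/24", dst="10.2.2.20", proto="tcp", dst_port=443)]
TABLE = compile_acl(POLICY)

# Constructed packets (5-tuples as the switch would see them).
SAMPLE_PACKETS = {
    "client_syn":      {"nw_proto": "tcp", "nw_src": "10.1.1.10", "nw_dst": "10.2.2.20", "tp_src": 51000, "tp_dst": 443},
    "server_reply":    {"nw_proto": "tcp", "nw_src": "10.2.2.20", "nw_dst": "10.1.1.10", "tp_src": 443, "tp_dst": 51000},
    "ssh_attempt":     {"nw_proto": "tcp", "nw_src": "10.1.1.10", "nw_dst": "10.2.2.20", "tp_src": 51001, "tp_dst": 22},
    # No client ever opened this connection, but source port 443 matches the
    # reverse entry. A stateless filter cannot distinguish it from a real reply.
    "unsolicited_443": {"nw_proto": "tcp", "nw_src": "10.2.2.20", "nw_dst": "10.1.1.10", "tp_src": 443, "tp_dst": 22},
}


def evaluate(table: List[FlowEntry] = TABLE, packets: dict = SAMPLE_PACKETS) -> dict:
    """Map each sample packet name to the action the flow table would apply."""
    return {name: lookup(table, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for e in TABLE:
        print(to_ofctl(e))
    for name, action in evaluate().items():
        print(f"{name:16s} -> {action}")
```

Running the block prints the three entries in ovs-ofctl form and then the verdicts: the client SYN and the genuine reply are forwarded, the SSH attempt is dropped, and the unsolicited packet with source port 443 is also forwarded. That last line is the cost of “giving up state” that the security teams mentioned above would have to accept, and it is why this design fits segments where the hosts on both sides are already trusted rather than an Internet-facing edge.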

For some reason I'm thinking, well, if you give up state, you could do ACLs in Cisco 6500 or Nexus switches to achieve the same effect, with wire-rate performance. With little / no programming, just paste in the ACLs.

I.e. part of the problem being solved here is the false assumption by most security professionals that only a firewall with state can deliver adequate security.

But, I think this is a good transition seeing the industry taking small steps in testing the SDN waters out. Box for box replacement, but with a new underlying architecture that has different cost models.

Should small pilots like this become successful, maybe we see more OF-enabled gear which can lead to policy enforcement on the edge when all devices are managed under a single domain and there are enough hw resources (TCAM, etc.) on the edge :)

But there will always be pods and domains. Given the circumstance, a middle box would still be needed. The middle box can be what Goldman is doing with cheap hardware, 6500 with ACLs, or a next gen FW with application level controls.

So your last comment is spot on and what I was alluding to - security teams re-thinking requirements. Some higher level security teams may not say statefulness is a req, but it is what's delivered by network teams as the norm.

Kind of like PCI Compliance: "Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network." - page 11, https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

FW is mentioned later on in page 20, but ACLs do pass PCI compliance as far as I know.

Go figure.


Kristin Gorman

05/13/2013 10:19

Great point, Jason. I would love to see what other SDN use cases customers are finding!

That's what most vendors are saying these days. On the other hand, I would like to see what use cases incumbents that have a few million or billion in the bank are finding. Are they the experts or are the customers? :)